Sunday, January 13, 2013

Some De-obfuscation notes on CritXPack Exploit Kit at root(.)kaovo.com

This is a quick memo from one of our crusade events: our encounter notes with the CritXPack Exploit Kit. I think it will help others, so I am documenting the findings here as a guide. It is based on my working memo, so please bear with the brief and incomplete explanations here and there.
Since we are focusing on manually deobfuscating the malware code, I'm sorry that payload information will not be included in this post. The know-how on the exploit kit's obfuscation is the target here; the moronz can change the payload to anything they want anyway.

BTW, here is a capture of the infected site, or rather, I'd say, the INFECTOR site: (clean this up!)
The infector site's domain name has Chinese registrant data:

Applying the above logic, both obfuscated code blocks yield the deobfuscated code below:
The second URL forwards you to Google, but
if we download the source of the first link's URL and look inside, it contains
the suspicious link shown below:
I fetched it like this:

The Landing Page Script

The i.php file contains the obfuscation script in 2 lines.
It is the landing page of the CritX Exploit Kit.
Let's give it a more "viewable" structure :-)
Explanation below:

1. The pd.js is PluginDetect 0.7.9, used to guard the pages of this EK.
Unlike other EKs, it is a separate download and
is shared with the other infector files.
2. The obfuscated code is found in the script after the pd.js checks pass;
it is a packed script, as shown in line 9.
3. There is a direct-download infector in line 14 using the meta refresh tag method.
4. The moronz put the variable used for deobfuscation in another part (line 18).

Decoding Obfuscation Infector Script

So how do we decode the infector part? Let's look at the cleaned-up structure first:
It is a simple structure: by feeding the generator the obfuscation data and
eliminating the garbage/unnecessary code, we get the deobfuscated script
saved in the "e" variable here -->>[PASTEBIN]
Reading the code, we see the infector aims to check your Java version
(by fetching the result from PluginDetect 0.7.9):
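The packed script in the landing page is not reproduced in this post, so as an added example (not the EK's code and not from this memo) I assume it is the common `eval(function(p,a,c,k,e,d){...}(...))` style packer and show how an analyst can recover the source statically, feeding the packer's own arguments to a replacement routine instead of letting `eval` run. The packed sample, keyword list and the `PluginDetect` call it hides are constructed for this example.

```javascript
// Static unpacker for p,a,c,k,e,d style packed scripts (analysis use only).
// Instead of running the eval() in the landing page, we pull out the four
// arguments the packer passes to itself and redo its token substitution.
function unpackPacker(p, a, c, k) {
  // The packer encodes keyword index i as i.toString(a); for a > 36 it uses
  // a custom alphabet, which this example does not implement (assumption).
  if (a > 36) throw new Error("radix > 36 not supported by this example");
  return p.replace(/\b\w+\b/g, (word) => {
    const idx = parseInt(word, a);
    // Only tokens that round-trip exactly are encoded keywords; everything
    // else (plain identifiers, string contents, leading-zero numbers) stays.
    if (Number.isNaN(idx) || idx >= c || idx.toString(a) !== word) return word;
    return k[idx] || word; // packer keeps the token when the keyword is empty
  });
}

// Locate the trailing call  }('payload', a, c, 'w1|w2|...'.split('|'), ...)
// and hand its pieces to unpackPacker. Only \' and \\ escapes are undone.
function unpackScript(src) {
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(src);
  if (!m) throw new Error("no p,a,c,k,e,d packer call found");
  const unescape = (s) => s.replace(/\\(['\\])/g, "$1");
  return unpackPacker(
    unescape(m[1]),
    parseInt(m[2], 10),
    parseInt(m[3], 10),
    unescape(m[4]).split("|")
  );
}

// Constructed packed sample (the packer body itself is irrelevant here and
// is left as a placeholder): it hides a PluginDetect-based Java version probe.
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){/* packer body */}" +
  "('0 v=1.2(\"3\");if(v)4.5(\"found java \"+v);',10,6," +
  "'var|PluginDetect|getVersion|Java|document|write'.split('|'),0,{}))";

console.log(unpackScript(SAMPLE_PACKED));
```

Running it prints the recovered source, where the Java version check becomes readable without the page's eval ever executing.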
